智能合约安全漏洞检测研究进展
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

基金项目:

江苏省前沿引领技术基础研究专项(BK202002001);国家自然科学基金(61702041);北京信息科技大学“勤信人才”培育计划(QXTCPC201906)


Research Progress of Security Vulnerability Detection of Smart Contracts
Author:
Affiliation:

Fund Project:

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    智能合约是运行在区块链合约层的计算机程序, 能够管理区块链上的加密数字货币和数据, 实现多样化的业务逻辑, 扩展了区块链的应用. 由于智能合约中通常涉及大量资产, 吸引了大量攻击者试图利用其中的安全漏洞获得经济利益. 近年来, 随着多起智能合约安全事件的发生(例如TheDAO、Parity安全事件等), 针对智能合约的安全漏洞检测技术成为国内外研究热点. 提出智能合约安全漏洞检测的研究框架, 分别从漏洞发现与识别、漏洞分析与检测、数据集与评价指标这3个方面分析现有检测方法研究进展. 首先, 梳理安全漏洞信息收集的基本流程, 将已知漏洞根据基础特征归纳为13种漏洞类型并提出智能合约安全漏洞分类框架; 然后, 按照符号执行、模糊测试、机器学习、形式化验证和静态分析5类检测技术对现有研究进行分析, 并讨论各类技术的优势及局限性; 第三, 整理常用的数据集和评价指标; 最后, 对智能合约安全漏洞检测的未来研究方向提出展望.

    Abstract:

    Smart contracts are computer programs running in the contract layer of the blockchain, which can be used to manage cryptocurrencies and data on the blockchain, realize diverse business logic, and expand the application of the blockchain. A large number of assets are stored in smart contracts, which attract attackers to steal the assets and obtain economic benefits via security vulnerabilities. In recent years, with the frequent occurrence of smart contract security incidents (such as TheDAO and Parity security incidents), the security vulnerability detection technique for smart contracts has become a hot research topic. This study proposes a research framework for detecting security vulnerabilities of smart contracts and analyzes the research progress of existing vulnerability detection techniques from three aspects: vulnerability discovery and identification, vulnerability analysis and detection, and dataset and evaluation indicators. Firstly, the basic process of collecting security vulnerability information is sorted out, and the security vulnerabilities are classified into 13 types according to their basic characteristics. A classification framework for security vulnerabilities of smart contracts is proposed. Secondly, existing techniques are studied in terms of symbolic execution, fuzzing testing, machine learning, formal verification, and static analysis, and the advantages and limitations of each technique are analyzed. Thirdly, the commonly used datasets and evaluation indicators are summarized. Finally, potential research directions for security vulnerability detection of smart contracts in the future are discussed.

    参考文献
    相似文献
    引证文献
引用本文

崔展齐,杨慧文,陈翔,王林章.智能合约安全漏洞检测研究进展.软件学报,2024,35(5):2235-2267

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2022-04-07
  • 最后修改日期:2023-05-10
  • 录用日期:
  • 在线发布日期: 2024-01-03
  • 出版日期: 2024-05-06
文章二维码
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号